Task: Define and Assign a Custom Initiative

Video: Resource Policies and Initiatives in Action

Estimated time: 15 minutes

Goal

The goal of this task is to create a custom policy and a custom initiative. The policy is created from the command line using a custom JSON definition file. The custom initiative then combines the custom policy with a built-in policy and is assigned to a resource group so that the combined rules can be tested.

Note: If you are building a purpose-built policy for real use, it is usually simpler to put all of the conditions in a single policy definition rather than creating a separate policy and an initiative. Also, the restriction that this task's custom policy enforces is already available as a built-in policy (Allowed virtual machine size SKUs); it is written by hand here only to provide a simple example of a custom policy.

Pre-requisites

  1. Non-production Azure subscription
  2. An Azure AD cloud user named tasks for testing access

Requirements

  1. Requirement 1: Define a custom policy
  2. Requirement 2: Define a custom initiative
  3. Requirement 3: Apply a custom initiative
  4. Requirement 4: Test a custom initiative

Pre-requisite setup

You can create a new Azure AD user from the Azure Cloud Shell (bash) by running the following command (substitute your values for the password and the tenant domain name; recent versions of the Azure CLI name the last flag --force-change-password-next-sign-in instead of --force-change-password-next-login):

az ad user create --display-name tasks --password <your password> --user-principal-name tasks@<your domain> --force-change-password-next-login false

Example

az ad user create --display-name tasks --password B@dPa55word! --user-principal-name tasks@inedemos.onmicrosoft.com --force-change-password-next-login false

Requirement 1: Define a custom policy

To complete this requirement you must create a custom policy named restrictedVM. The policy must deny the creation of any virtual machine whose SKU is not Standard_D2s_v3, and it must leave other resource types alone. Keep the type condition inside allOf for that reason: the sku.name alias does not exist on resources other than virtual machines, so the not/in clause on its own would match (and deny) every NIC, disk and public IP in scope.

The JSON for the policy rule, saved to a file and passed to the CLI when you create the definition, is as follows:

{
    "if": {
        "allOf": [
            {
                "field": "type",
                "equals": "Microsoft.Compute/virtualMachines"
            },
            {
                "not": {
                    "field": "Microsoft.Compute/virtualMachines/sku.name",
                    "in": [
                        "Standard_D2s_v3"
                    ]
                }
            }
        ]
    },
    "then": {
        "effect": "deny"
    }
}

Requirement 2: Define a custom initiative

To fulfill requirement 2, you must create an initiative named location-and-vm in your Azure subscription. Use the General category. The initiative must apply the following policies:

  1. The restrictedVM custom policy.
  2. The Allowed Locations built-in policy, with its location restriction set to EastUS.

Requirement 3: Apply a custom initiative

For this requirement you must create a resource group named task-policy-rg in the East US region. Apply the location-and-vm initiative to the resource group.

Requirement 4: Test a custom initiative

Finally, you will test the initiative. Sign in as the tasks user (it needs a role that allows creating resources in task-policy-rg, such as Contributor on the resource group, so that a refusal comes from the policy's deny effect rather than from RBAC) and attempt to create the following in the task-policy-rg resource group. Each attempt that violates the initiative should fail with a RequestDisallowedByPolicy error:

Cleanup

When you have finished this task, delete the task-policy-rg resource group, the location-and-vm initiative, and the restrictedVM custom policy, in that order: removing the resource group removes the assignment, and Azure refuses to delete a custom policy definition while an initiative still references it. If the tasks user was created only for this task, delete it as well.
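The whole task scripted with the Azure CLI, as an added example that is not part of the original task page. It covers Requirements 1 to 4 and the cleanup in order. Beyond what the page states, it assumes that you are already logged in to the non-production subscription, that the built-in policy can be resolved by its display name "Allowed locations" (so its GUID is never hard-coded), that the custom definition uses mode Indexed, that the Ubuntu2204 image alias is available in your CLI version, and that the throw-away test resources are named badsku and deniedip.

```shell
#!/usr/bin/env bash
# Added example for this task page, not code from the original. It scripts
# Requirements 1-4 and Cleanup with the Azure CLI. Assumed, not stated on the
# page: you are logged in to the non-production subscription, the built-in is
# resolved by its display name "Allowed locations", the custom policy uses
# mode Indexed, and the test resources are named badsku and deniedip.
set -eu

POLICY_NAME="restrictedVM"
INITIATIVE_NAME="location-and-vm"
RG_NAME="task-policy-rg"
LOCATION="eastus"
ALLOWED_SKU="Standard_D2s_v3"

# Requirement 1: the policy rule. The "type" test inside allOf keeps the deny
# scoped to VMs: the sku.name alias does not exist on NICs, disks or public
# IPs, so "in" is false for them and "not" would flip it to true, denying
# every non-VM resource in scope if the type test were missing.
restricted_vm_rule() {
  local sku="$1"
  cat <<EOF
{
  "if": {
    "allOf": [
      { "field": "type", "equals": "Microsoft.Compute/virtualMachines" },
      { "not": { "field": "Microsoft.Compute/virtualMachines/sku.name",
                 "in": [ "$sku" ] } }
    ]
  },
  "then": { "effect": "deny" }
}
EOF
}

# Requirement 2: the --definitions payload of the initiative. The custom
# policy is referenced by its full resource ID; the built-in takes its region
# list through its listOfAllowedLocations parameter.
initiative_definitions() {
  local custom_id="$1" builtin_id="$2" location="$3"
  cat <<EOF
[
  { "policyDefinitionId": "$custom_id" },
  { "policyDefinitionId": "$builtin_id",
    "parameters": { "listOfAllowedLocations": { "value": [ "$location" ] } } }
]
EOF
}

# Requirement 4 helper: a policy denial surfaces as RequestDisallowedByPolicy.
# Succeeds only when the command failed for exactly that reason.
expect_denied() {
  local out
  if out=$("$@" 2>&1); then
    echo "NOT denied: $*" >&2
    return 1
  fi
  case "$out" in *RequestDisallowedByPolicy*) return 0 ;; *) return 1 ;; esac
}

deploy() {
  local sub custom_id builtin_id
  sub=$(az account show --query id -o tsv)
  restricted_vm_rule "$ALLOWED_SKU" > restrictedVM.json
  az policy definition create --name "$POLICY_NAME" --mode Indexed \
    --display-name "Restrict VM SKU to $ALLOWED_SKU" --rules restrictedVM.json >/dev/null
  custom_id="/subscriptions/$sub/providers/Microsoft.Authorization/policyDefinitions/$POLICY_NAME"
  # Resolve the built-in by display name rather than hard-coding its GUID.
  builtin_id=$(az policy definition list --query "[?displayName=='Allowed locations'].id" -o tsv)
  [ -n "$builtin_id" ] || { echo "Allowed locations built-in not found" >&2; return 1; }
  initiative_definitions "$custom_id" "$builtin_id" "$LOCATION" > initiative.json
  az policy set-definition create --name "$INITIATIVE_NAME" --metadata category=General \
    --display-name "Location and VM restrictions" --definitions initiative.json >/dev/null
  # Requirement 3: resource group in East US with the initiative assigned to it.
  az group create --name "$RG_NAME" --location "$LOCATION" >/dev/null
  az policy assignment create --name "$INITIATIVE_NAME" \
    --policy-set-definition "$INITIATIVE_NAME" --resource-group "$RG_NAME" >/dev/null
  # Requirement 4: wrong SKU in the right region, then a non-VM resource in
  # the wrong region. Both must be blocked.
  expect_denied az vm create -g "$RG_NAME" -n badsku -l "$LOCATION" --image Ubuntu2204 \
    --size Standard_B2s --admin-username azureuser --generate-ssh-keys
  expect_denied az network public-ip create -g "$RG_NAME" -n deniedip -l westus
  echo "both non-compliant deployments were denied by the initiative"
}

# Cleanup in dependency order: the assignment first, then the group, then the
# initiative, and only then the custom policy the initiative references.
cleanup() {
  az policy assignment delete --name "$INITIATIVE_NAME" --resource-group "$RG_NAME"
  az group delete --name "$RG_NAME" --yes --no-wait
  az policy set-definition delete --name "$INITIATIVE_NAME"
  az policy definition delete --name "$POLICY_NAME"
}

case "${1:-}" in
  deploy)  deploy ;;
  cleanup) cleanup ;;
esac
```

Run it as `bash policy-task.sh deploy` from the Cloud Shell, then `bash policy-task.sh cleanup` when you are done. The two generated files, restrictedVM.json and initiative.json, are left on disk so you can inspect exactly what was sent to Azure; the initiative payload is the part people most often get wrong, because the built-in's parameter values must be nested under parameters.<name>.value rather than passed flat.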